Cyber Incident Victim: Platinum Performance
Date: Sep 2021
Location: United States of America
Summary
A cybersecurity incident at Platinum Performance involved unauthorized access to two employee email accounts via a successful phishing attack, compromising sensitive consumer information. The breach spanned several months before detection, prompting the company to secure affected systems, engage law enforcement and third-party specialists, and conduct an investigation confirming exposed data likely included Social Security numbers, financial details, or government IDs based on regulatory reporting thresholds. Notification letters were subsequently distributed to impacted individuals.
Description
On August 31, 2022, Platinum Performance submitted a data breach notification to the Attorney General of Montana following a cybersecurity incident involving unauthorized access to two employee email accounts. The company first detected the breach on May 6, 2022, when it discovered that an external actor had compromised these accounts through a successful email phishing attack targeting employees. Platinum Performance immediately secured its systems, notified law enforcement agencies, and halted further unauthorized access. The company engaged third-party cybersecurity specialists to conduct a forensic investigation, which determined that the threat actor initially gained access to the email accounts on or around September 8, 2021. This established an eight-month period of unauthorized access lasting from September 2021 through May 2022. The investigation confirmed that the compromised email accounts contained attachments and messages with sensitive consumer information, though the company did not publicly disclose specific data types involved. Based on Montana's breach reporting requirements – which mandate disclosure only for incidents involving Social Security numbers, financial account information, driver's licenses, or state identification numbers – the incident likely exposed one or more of these data categories. Platinum Performance completed its review of affected files in August 2022 and initiated notification letters to impacted consumers on August 31, 2022. The company maintained operations throughout the incident response period while continuing its core business of manufacturing and retailing animal nutritional supplements from its Buellton, California headquarters.

The breach originated from a phishing attack where threat actors deceived employees into providing email account access through socially engineered messages disguised as legitimate communications. While the exact phishing methodology wasn't detailed, the company confirmed attackers used standard techniques such as fraudulent password reset requests, fake storage limit alerts, or malicious links/attachments designed to harvest credentials. Platinum Performance's notification acknowledged the attack's success in compromising two corporate email accounts, though it did not specify whether multiple employees fell victim or if credentials were reused across accounts. As a manufacturer and online retailer generating $23 million annually with 109 employees, the company's email systems contained consumer information related to pet supplement purchases. The forensic review confirmed that exposed data resided within email attachments and messages rather than direct database access. No evidence suggested broader system compromise beyond the two email accounts. The extended access period from September 2021 to May 2022 indicated delayed detection despite the company's security measures. Law enforcement involvement remained at the notification stage without public details about investigative outcomes or attribution. Platinum Performance's response followed standard incident protocols including system containment, third-party forensic analysis, regulatory compliance with Montana's disclosure requirements, and consumer notifications eight months after initial detection and nearly twelve months after initial intrusion.
